[ Friday, March 27, 2020 ]
Jeff [12:44 PM]
Seems like everyone's using Zoom these days. One thing to be aware of, though, with respect to the free Zoom service: as Consumer Reports points out, their terms of service allow them to use a lot of the information you transmit, particularly if you use the free or low-cost service. (As always, if a service is free, the service isn't the product; you/your information is.)
That doesn't mean they are doing so, just that they could use an attendee list, or even a video, PowerPoint or document transmitted on the service to do targeted marketing, or potentially to sell to third parties. Zoom hasn't responded to Consumer Reports, though.
This highlights two things: think about the services you are using that get to view your information and find out what they can do with it (especially find out if they are actually doing it or deny doing it, even though they have the right to). And make sure you get a BAA if (i) you are a covered entity under HIPAA and (ii) any of the information that the service comes into contact with might be PHI.
I've looked at Zoom's BAA. It's ok ("meh"). Doxy.me has a much better one. But both are minimally sufficient.
UPDATE: one other thing: be the host, if you are the CE. The host gets to keep data too; that's not a terrible idea, and if the host was in the meeting the host had access to that information, at least at the time of the meeting, so having it later isn't a whole new thing. But it's like recording a call: don't be surprised later that the meeting host has what amounts to perfect memory. And if you are the host, be aware of where the recording is stored and transmitted, and how it's used; if it's a telehealth visit, it's PHI, so it should be stored like any other medical record (encrypted at rest and in transit, hopefully).